Re: [Gen-art] Genart telechat review of draft-ietf-anima-bootstrapping-keyinfra-28

Alissa Cooper <alissa@cooperw.in> Wed, 16 October 2019 14:57 UTC

Return-Path: <alissa@cooperw.in>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E71BD12011F; Wed, 16 Oct 2019 07:57:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cooperw.in header.b=COLRUlAm; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=iUyLeGMC
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eNcmy3rfraIe; Wed, 16 Oct 2019 07:57:29 -0700 (PDT)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C57E4120118; Wed, 16 Oct 2019 07:57:29 -0700 (PDT)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.nyi.internal (Postfix) with ESMTP id 3CBD321AEF; Wed, 16 Oct 2019 10:57:29 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute7.internal (MEProxy); Wed, 16 Oct 2019 10:57:29 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cooperw.in; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=fm1; bh=z iCoIGJXo8gyqn/IvpyKPm6wYAD7fxgvP9/CZy6t2DM=; b=COLRUlAmyLmgr9HLs YsNH0VoXcyJ0PBXsQGfKNM+UuXxAN5kWKDBx457LIzqc86TGbfMvoAIB4IPkF1TV yagfOn4YTu/TpWklztRi4JdM9FCJDaQ7vJxCI2FtiH0td/Bv+mdIGlNWfs3xjIjK 0IsHvpO2Rg79MxcUQ7gd2q04xS7CbsKuBjw+T1PrsJ0LMBp0ee2i+bWqOm4v7ATv fV1e3NBdIvmgKva2lwO2CDTHSGj0Wx+2P2ZNjM24aaW5e+7i8anCA6vooszjkTAk MisvCqnEO4E52egFvM+4vgaQpFBUbybVdKHI/Ut4LiSqaE6XWUuHljh4HAbAlAy0 GASnA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=ziCoIGJXo8gyqn/IvpyKPm6wYAD7fxgvP9/CZy6t2 DM=; b=iUyLeGMCndxVN6vu8p/0njOmS1AW3NZcqJ9jijLQiCbZu4+2b4OFi0DcO EXxUxP7RcY7tQMWyT1VJQGNXhp+Q6jjZuslLzuBoro7tzKylk9Yf0JTCA+5i3Svn H/2Uea6BTEVSy/zBZqqUtIvWexzMJJb9vw6fS1eTDFYaKlSJbhPyfbxWbGL7wfyL oHvzxa+5hCbbwhMiTq/bK+SiYdDQsWSB5eFhgaHNMb1xYITbzCW2algiSFxPWwPH d9Lha/E0D/6wN+9Y0BG3kI9X0wUlsDA0bhuwbKJzB7ttXJfJ6cW6Se3Jdv2KWTdh Q86AjBJBk+iwF08iNzV3BHq68JDzA==
X-ME-Sender: <xms:2C-nXebpAs1b7xRETBr_0Vg3qMA11cjcfRJRHF3vmIbEC7yx8V5MLQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedrjeehgdekgecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpegtggfuhfgjfffgkfhfvffosehtqhhmtdhhtddvnecuhfhrohhmpeetlhhishhs rgcuvehoohhpvghruceorghlihhsshgrsegtohhophgvrhifrdhinheqnecuffhomhgrih hnpehivghtfhdrohhrghenucfkphepudejfedrfeekrdduudejrdekgeenucfrrghrrghm pehmrghilhhfrhhomheprghlihhsshgrsegtohhophgvrhifrdhinhenucevlhhushhtvg hrufhiiigvpedt
X-ME-Proxy: <xmx:2C-nXS2NWa5-gfrS9NPS3eU0GUcNtmedHXoL2LX124iVFUJJ9ErFdw> <xmx:2C-nXUXCKQGHjujNI3RWVNlDUNL8CUziwlUOH536ltvYSnNBGSdMOQ> <xmx:2C-nXdupTAucD5lr_8bTwwUtcbUFrirp8E4OjpfdCqKiYrGnVbiV4Q> <xmx:2S-nXTXGjN-iDQmuom7hQxfOXmucOkGBeS1g8rFSyCpzFlKBUZMenA>
Received: from dhcp-10-150-9-159.cisco.com (unknown [173.38.117.84]) by mail.messagingengine.com (Postfix) with ESMTPA id 3088580059; Wed, 16 Oct 2019 10:57:28 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Alissa Cooper <alissa@cooperw.in>
In-Reply-To: <00f001d5833c$52aacf60$4001a8c0@gateway.2wire.net>
Date: Wed, 16 Oct 2019 10:57:23 -0400
Cc: "gen-art@ietf.org" <gen-art@ietf.org>, "draft-ietf-anima-bootstrapping-keyinfra.all@ietf.org" <draft-ietf-anima-bootstrapping-keyinfra.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "anima@ietf.org" <anima@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <6CF1EF8F-EE0D-4BE6-B2C2-4C91883A881B@cooperw.in>
References: <157095596011.20750.2703747454081790983@ietfa.amsl.com> <00f001d5833c$52aacf60$4001a8c0@gateway.2wire.net>
To: tom petch <daedulus@btconnect.com>, Dan Romascanu <dromasca@gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/1fsGuVn5RsaILCWHNMbDfLZqnVI>
Subject: Re: [Gen-art] Genart telechat review of draft-ietf-anima-bootstrapping-keyinfra-28
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Oct 2019 14:57:32 -0000

Dan, thanks for your review. Tom, thanks for your response. I entered a DISCUSS ballot to make sure the issues with the YANG modules get fixed. I also noted the need for a response to the full Gen-ART review.

Alissa


> On Oct 15, 2019, at 5:40 AM, tom petch <daedulus@btconnect.com>; wrote:
> 
> Dan
> 
> I had a quick look at the YANG and it does indeed need some work IMHO.
> I have posted a separate e-mail listing what I saw.
> 
> Tom Petch
> 
> 
> ----- Original Message -----
> From: "Dan Romascanu via Datatracker" <noreply@ietf.org>;
> Sent: Sunday, October 13, 2019 9:39 AM
> 
>> Reviewer: Dan Romascanu
>> Review result: Ready with Issues
>> 
>> I am the assigned Gen-ART reviewer for this draft. The General Area
>> Review Team (Gen-ART) reviews all IETF documents being processed
>> by the IESG for the IETF Chair. Please wait for direction from your
>> document shepherd or AD before posting a new version of the draft.
>> 
>> For more information, please see the FAQ at
>> 
>> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>;.
>> 
>> Document: draft-ietf-anima-bootstrapping-keyinfra-??
>> Reviewer: Dan Romascanu
>> Review Date: 2019-10-13
>> IETF LC End Date: None
>> IESG Telechat date: 2019-10-17
>> 
>> Summary: Ready with Issues
>> 
>> This document specifies automated bootstrapping of an Autonomic
> Control Plane
>> by creating a Remote Secure Key Infrastructure (acronym BRSKI) using
>> manufacturer installed X.509 certificates, in combination with a
> manufacturer's
>> authorizing service, both online and offline.
>> 
>> Christian Huitema and Jari Arkko have performed early reviews of
> previous
>> versions of the document for SecDir and Gen-ART. As far as I can tell,
> most if
>> not all of their major concerns concerning applicability and security
> have been
>> addressed in the latest versions. A few more minor issues described
> below would
>> better be clarified before approval.
>> 
>> I also observe that the document has consistent Operational
> implications but
>> there is no OPS-DIR review so far, as well as a YANG module and
> several other
>> references to YANG, but there is no YANG Doctors review. I hope that
> these will
>> be available prior to the IESG review.
>> 
>> Major issues:
>> 
>> Minor issues:
>> 
>> 1. The Pledge definition in section 1.2:
>> 
>>> Pledge:  The prospective device, which has an identity installed at
>>      the factory.
>> 
>> while in the Introduction:
>> 
>>> ... new (unconfigured) devices that are called pledges in this
>>   document.
>> 
>> These two definitions seem different. The definition in 1.2 does not
> include
>> the fact that the device is 'new (unconfigured'. Also, arguably
> 'identity
>> installed at the factory' may be considered a form of configuration.
>> 
>> 2. The document lacks an Operational Considerations section, which I
> believe is
>> needed, taking into consideration the length and complexity of the
> document.
>> There are many operational issues spread across the document
> concerning the
>> type and resources of devices, speed of the bootstrapping process,
> migration
>> pass, impact on network operation. I suggest to consider adding such a
> section
>> pointing to the place where these issues are discussed and adding the
> necessary
>> information if missing. Appendix A.1 in RFC 5706 can be used as a
> checklist of
>> the issues to be discussed in such a section.
>> 
>> 3. Section 5.4:
>> 
>>> Use of TLS 1.3 (or newer) is encouraged.  TLS 1.2 or newer is
>>   REQUIRED.
>> 
>> What is the reason for using 'encouraged'? Why not RECOMMENDED?
>> 
>> Nits/editorial comments:
>> 
>> 1. The Abstract includes:
>> 
>> 'To do this a Remote Secure Key Infrastructure (BRSKI) is created'
>> 
>> Later in the document BRSKI is idefined as a protocol. It would be
> good to
>> clarify if BRSKI = BRSKI protocol
>> 
>> 2. In Section 1 - Introduction, 3rd paragraph:
>> 
>> s/it's default modes/its default modes/
>> s/it's strongest modes/its strongest modes/
>> 
>> 3. Please expand non-obvious acronyms at first occurrence: EST
> protocol, LLNs,
>> REST interface, LDAP, GRASP, CDDL, CSR
>> 
>> 4. I would suggest alphabetic order listing of the terms in section
> 1.2
>> 
>> 5. Section 1.3.1 - a reference for LDevID would be useful
>> 
>> 6. Section 7:
>> 
>> s/Use of the suggested mechanism/Use of the suggested mechanisms/
>> 
>> 
> 
> _______________________________________________
> Gen-art mailing list
> Gen-art@ietf.org
> https://www.ietf.org/mailman/listinfo/gen-art